Microsoft Angers Security Researchers With Boisterous Botnet Bust

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Researchers fuming after Microsoft botnet takedown ruins their own anti-cyber crime operations

Two security organisations have vented their frustration at Microsoft over the takedown of the Citadel botnet, and one researcher has taken it to task on its approach to fighting malicious networks of infected machines.

When Microsoft took down Citadel, it sinkholed over 4,000 domains used by the botnet masters, directing traffic from infected machines to its own clean servers.

But in doing so, Microsoft sinkholed domains that were already being used by other security researchers at abuse.ch, who were reporting to Shadowserver, a non-profit that shares botnet threat data with members, including ISPs and national Computer Emergency Response Teams.

BotnetMicrosoft, what are you doing?

Microsoft seized more than 300 domain names that where sinkholed by abuse.ch,the unnamed researcher claimed, saying something similar happened when Microsoft carried out action against thousands of Zeus botnet domains last year.

Despite the fact that the researcher set up a registry to check what domains had already been sinkholed, Microsoft went ahead and took over the domains anyway. He claimed over sinkhole operators had been affected too.

“I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything,” they wrote.

“Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners any more.

“I can say that nearly 1000 domain names out of the 4000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these 1000 domain names did no longer present a threat to internet users, but were actually used to help to make the internet a better place.”

Researchers are also concerned about Microsoft executing code on infected machines, via Citadel configuration files. Microsoft does this to stop machines reverting to non-sinkholed back-up command and control servers.

But Microsoft isn’t asking victims’ permission to run code on their PCs, even if they’re outside of the US where the tech titan gained a court’s permission to seize domains, which could be illegal in some countries.

Claudio Guarnieri, member of Shadowserver and researcher at Rapid7, urged Microsoft to “coordinate with other researchers before taking over domains from already ongoing takedown and sinkholing efforts”.

He told TechWeekEurope it would be better if Microsoft sinkholed domains and notified the owners of infected IPs about an ongoing infection. “And don’t execute code,” Guarnieri added.

“This is indeed a bold move that needs to be discussed in the security community [because] if everyone starts getting the liberty to do the same, it’d become complete and unmanageable chaos.”

Microsoft had not offered comment at the time of publication.

UPDATE: Microsoft has now responded to the situation, defending its actions, saying it was doing what it was doing for the good of Internet users. “Microsoft’s commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged.  We will continue to partner closely in disruptive action with the security community globally to help protect our customers and increase the risk and costs for cyber crime to both deter crime and put cyber criminals out of business,” a spokesperson said.

Microsoft also justified its execution of code on infected machines: “This operation was designed to help restore victims’ ability to access the tools they need in order to regain control of their computers and does not change people’s computer settings.  Citadel blocked its victims’ ability to access many legitimate anti-virus and anti-malware sites in order to prevent them from being able to remove the malware from their computer.

“In order for victims to clean their computers, the court order from the U.S. District Court for the Western District of North Carolina allowed Microsoft to unblock these sites when computers from around the world checked into any US-based command and control structure for Citadel under the court’s jurisdiction.

“This was done under legal authority from the court in order to restore victims’ access to critical anti-virus and anti-malware sites – access that Citadel had taken from victims without their consent or, often, without their knowledge.

“For command and control infrastructure in other countries, we have relied on the voluntary assistance of CERTs in each country to determine the appropriate approach, pursuant to local law and considerations.

What do you know about Internet security? Find out with our quiz!